This presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole use of the intended Gartner audience or other authorized recipients. This presentation may contain information that is confidential, proprietary or otherwise legally protected, and it may not be further copied, distributed or publicly displayed without the express written permission of Gartner, Inc. or its affiliates. © 2013 Gartner, Inc. and/or its affiliates. All rights reserved.
Tom Scholtz
Build an Effective Security and Risk Governance Function: It's Much More Than Just Reporting
Key Issues
1. What are current security and risk governance best practices?
2. What processes and activities constitute effective security and risk governance?
3. What structures and forums are required?
Some Context: IT Governance — Gartner Definition
• IT governance is made up of processes with activities, inputs, outputs, roles and responsibilities.
• IT governance's role is identified as "ensuring" as opposed to "executing."
• The goal of IT governance is a business goal.
• Key performance measures are effectiveness and efficiency.
"The processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals"
Gartner's IT Governance Model
Governance
• Goals
• Domains
• Principles
• Decision Rights
• Styles
Governance Strategy and Governance Operations
Supply-Side Governance (How Should We Do What We Do?)
Primary Responsibility: Change Discipline Management (e.g., IT, BPM)
Demand Governance (What Should We Work On?)
Primary Responsibility: Business Management
Governance processes:
• Business Strategy Development
• Change Discipline Budgeting
• Develop Demand Governance Processes
• Strategy Implementation Planning
• Design Investment Portfolios
• Investment Evaluation Criteria
• Intra-/Inter-enterprise Prioritization
• Demand Governance Implementation
• Board Governance
• Governance Effectiveness (Metrics, etc.)
• Execution Efficiency & Effectiveness
• Investment Funding & Chargeback
• Risk Management
• Spending/Project Oversight
• Councils/Committees
• Issue Escalation/Resolution
• Business Benefits Realization
• Business Unit Prioritization
Supply-Side Governance Domains (Plan, Implement, Manage, Monitor: each domain covers Develop Policies, Implement, Manage, Monitor Compliance):
• Enterprise Architecture
• Security
• Corporate Compliance
• Project Management
• Standards, Methodologies & Tools
• Procurement
• Etc.
Information Security and Risk Governance
The processes that ensure that reasonable and appropriate actions are taken to protect the organization's information resources, in the most effective and efficient manner, in pursuit of its business goals:
- Sets and manages accountability and decision rights.
- Allocates resources.
- Arbitrates between conflicting security requirements and risk affinities.
- Provides assurance to the executive and stakeholders that information risk is appropriately managed.
The Gartner Information Security and Risk Governance Model
Plan (P1-P4): Program Strategy, Architecture, Policy Management, Strategy, Budget Planning
Implement (I1-I3): Develop Governance Processes, Institute Governance Forum(s), Policy Development
Manage (M1-M4): Funding, Accountabilities, Conflict Conciliation or Arbitration, Program/Project Oversight
Monitor (M5-M8): Project Assessments, Value Assessments, Operational Oversight, Metrics & Measurement
Best Practice Approach
Governance Objectives and how each is manifested:
• Sets and manages accountability and decision rights. Manifested by: Policy Management; Organization
• Allocates resources. Manifested by: Strategy; Budget Planning; Funding
• Arbitrates between conflicting security requirements and risk affinities. Manifested by: Committee Discussions; Mandates
• Provides assurance to the executive and stakeholders that information risk is appropriately managed. Manifested by: Oversight and Assessments; Measurement and Reporting
Resource Allocation
Security Strategy Planning
Inputs: Business Strategy, Vision Statement, Environmental Trends
Process: Current State Assessment, Gap Analysis, Approval, Prioritization, Reporting
Policy and Accountabilities
Security Organization Dynamics
Stakeholders: Corporate Risk Manager, CIO, LOB Management
Governance
Corporate InfoSec Team
• Risk Management
• Policy Management
• Program Management
• BCM
• Architecture
• Awareness
ESP
IT InfoSec Team
• Risk Assessment
• Design and Implementation
• DRP
• Security Monitoring
• Vulnerability Assessment
ESP
BU InfoSec Teams
• BCP
• Awareness
• Local Policy Management
ESP
IT Ops
• Implementation
• Administration
ESP
Effective Policy Management
Benefits of a policy framework:
• Defines a foundation that doesn't change often
• Documents can be kept short and concise
• Improves communication with stakeholders and auditors
• Establishes a clear connection from "what" to "how"
• Facilitates document standardization for consistency
• Simplifies storage and online retrieval of related policy documents
Policy framework hierarchy (broader scope and wider applicability at the top; more specific in scope and applicability toward the bottom):
• Charter
• Generic Policies
• Specific Policies
• Standards
• Procedures
• Guidelines
Mandatory: Charter, Policies, Standards and Procedures. Optional: Guidelines.
Lifetime: 3-5 years at the top of the hierarchy, 1-12 months at the bottom.
Manage Conflict
Conflict Resolution
• Approaches:
- Dictatorial
- Collaborative/Consensus (Mediation)
- Procedural (Have a Given Procedure to Assess and Allocate Risks and Benefits)
- Arbitration
• Escalation
Provide Assurance
Balanced Scorecards, Risk-Adjusted Value Management (RVM) and Maturity
Balanced Scorecard:
• Overall strategic management model.
• Links security activities to objectives to business goals.
• Not real time.
• Combines reporting and management.
RVM:
• About business alignment.
• Map KRIs into KPIs.
• Develops causal chains from risks to business impact.
• Stand-alone, but can support balanced scorecard.
Balanced scorecards and RVM are complementary.
Gartner ITScore:
• Measure and understand program maturity; benchmark against other organizations.
• Objective basis for upward, outward and downward communication.
• Identify and assess gaps for remediation and opportunities to improve your formal program for risk management and security.
Gartner ITScore can provide a foundation for these tools.
Security Governance Forums
Forum: Executive Sponsor
• Functions: Set accountability and authority
• Outcomes: Policy legitimacy and awareness; Authority of the information security program
Forum: High-Level Council(s)
• Functions: Policy and strategy definition; Program oversight; Conciliation/arbitration; Budget allocation; Approvals and exemptions
• Outcomes: Policy and strategy; Budgets; Priorities
Forum: Midlevel Council(s)
• Functions: Project oversight; Local policy definition; Reporting
• Outcomes: Local policies; Reports
Forum: Information Security Team(s)
• Functions: Project oversight; Operations oversight; Policy compliance monitoring; Reporting
• Outcomes: Compliance certifications and exceptions; Reports
(Diagram axis labels: Authority; Assurance)
Sample Implementation
Forums:
• Information Security Communications Forum
• Information Security Advisory Board
• Corporate Information Security Steering Committee
Information Security Program
Governance
Teams:
• Corporate InfoSec Team (ESP)
• BU InfoSec Teams (ESP)
• IT InfoSec Team (ESP)
• IT Ops (ESP)
Strategic Planning Assumption
Through 2015, 70% of large enterprises will successfully establish mature risk governance processes, up from 25% in 2011.
Recommendations
• Formalize a common definition of security and risk governance in your organization.
• Define and implement an information security and risk governance function that is integrated with the organization's corporate and IT governance functions.
• Focus on the governance processes and functions, rather than on the organizational position of the activities.
Recommended Gartner Research
• Introducing the Gartner Information Security Governance Model, Tom Scholtz (G00201410)
• Information Security and Risk Governance: Forums and Committees, Tom Scholtz, F. Christian Byrnes (G00207477)
• Information Security and Risk Governance: Functions and Processes, Tom Scholtz (G00210937)
• Security Governance and Operations Are Not the Same, Rob McMillan, Tom Scholtz (G00206708)
• Survey Analysis: Information Security Governance, 2012, Tom Scholtz (G00233398)
For more information, stop by Gartner Research Zone.